
Okta Legacy API Authentication Without MFA Challenge

Panther Rules

Summary
This scheduled rule detects Okta sessions established through the legacy /api/v1/authn API that have no corresponding user.authentication.auth_via_mfa event in the same authentication chain. It joins legacy session.start events to MFA events on external_session_id, so only true single-factor legacy sessions are flagged. The rule targets the gap between the legacy global session policy and MFA enforcement, which tooling or misconfiguration can exploit to bypass MFA. Data is pulled from Okta cloud service logs and related application logs to build the authentication-chain context around session_start_time.

The rule maps to MITRE ATT&CK TA0001:T1078.004 (Valid Accounts: Cloud Accounts) and TA0005:T1556 (Modify Authentication Process). Severity is Medium, reflecting the potential for initial access or credential abuse rather than immediate lateral movement. Deduplication is set to 60 minutes.

Runbook:
  1. Extract user_email, source_ip, user_agent, and external_session_id from alert_context for the 102 session.
  2. Query Okta system logs within ±60 minutes of session_start_time to confirm that policy.evaluate_sign_on returned ALLOW and that no user.authentication.auth_via_mfa event exists for that external_session_id (the rule already enforces the latter).
  3. Broaden the window from session_start_time up to now (capped at 4 hours) and search for events such as system.api_token.create, user.mfa.factor.activate, or application.user_membership.add, which would indicate persistence or escalation during the MFA gap.
  4. If the available window is under 30 minutes and returns zero results, mark the alert as pending and schedule a follow-up rather than concluding that no abuse occurred.

The rule's tests simulate legacy 102 sessions from Python requests and from browsers with no MFA events, plus malformed rows that must not fire, giving practical validation of normal versus anomalous behavior.

This helps detect policy gaps or attacker activity that exploits single-factor authentication against Okta's legacy endpoint, and it triggers incident investigation and policy-hardening actions such as enforcing MFA on legacy paths or updating session policies.
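The join-and-flag logic described above, together with the runbook's follow-up window check, as an added example run over constructed Okta System Log events. This is illustrative code, not Panther's rule or query. The Okta field paths it reads (eventType, published, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, authenticationContext.externalSessionId, debugContext.debugData.requestUri) are real System Log fields, but treating a requestUri under /api/v1/authn as the legacy indicator and using a ±60 minute MFA join window are assumptions made here, not taken from the rule.

```python
# Added example, not Panther's code. Assumptions: requestUri under
# /api/v1/authn marks a legacy authn session; MFA counts if it is on the
# same externalSessionId within +/-60 minutes of session start.
from datetime import datetime, timedelta

LEGACY_PREFIX = "/api/v1/authn"
MFA_WINDOW = timedelta(minutes=60)      # assumed join window around session start
TRIAGE_CAP = timedelta(hours=4)         # runbook step 3: window capped at 4 hours
PENDING_BELOW = timedelta(minutes=30)   # runbook step 4: too little data to conclude
ESCALATION_EVENTS = {"system.api_token.create", "user.mfa.factor.activate",
                     "application.user_membership.add"}


def _get(event, path):
    """Safe dotted lookup; returns None for malformed or missing fields."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _parse(raw):
    """ISO 8601 with trailing Z -> aware datetime; None if not a string."""
    return datetime.fromisoformat(raw.replace("Z", "+00:00")) if isinstance(raw, str) else None


def legacy_sessions_without_mfa(events):
    """One alert_context per legacy session.start with no MFA event joined on
    externalSessionId. Malformed rows are skipped, never alerted on."""
    mfa_times = {}
    for e in events:
        if e.get("eventType") == "user.authentication.auth_via_mfa":
            sid, t = _get(e, "authenticationContext.externalSessionId"), _parse(_get(e, "published"))
            if sid and t:
                mfa_times.setdefault(sid, []).append(t)
    alerts, seen = [], set()
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        uri = _get(e, "debugContext.debugData.requestUri")
        sid = _get(e, "authenticationContext.externalSessionId")
        start = _parse(_get(e, "published"))
        if not (isinstance(uri, str) and uri.startswith(LEGACY_PREFIX)):
            continue                                  # not the legacy path
        if not sid or not start or sid in seen:
            continue                                  # malformed row, or deduped
        if any(abs(t - start) <= MFA_WINDOW for t in mfa_times.get(sid, [])):
            continue                                  # MFA happened in this chain
        seen.add(sid)
        alerts.append({"user_email": _get(e, "actor.alternateId"),
                       "source_ip": _get(e, "client.ipAddress"),
                       "user_agent": _get(e, "client.userAgent.rawUserAgent"),
                       "external_session_id": sid, "session_start_time": start})
    return alerts


def triage_window(events, alert, now):
    """Runbook steps 3-4: escalation events by the same user from
    session_start_time up to now (capped at 4h); 'pending' if the window is
    under 30 minutes with no hits. `now` may be a datetime or ISO string."""
    now = _parse(now) if isinstance(now, str) else now
    start = alert["session_start_time"]
    end = min(now, start + TRIAGE_CAP)
    hits = sorted(e["eventType"] for e in events
                  if e.get("eventType") in ESCALATION_EVENTS
                  and _get(e, "actor.alternateId") == alert["user_email"]
                  and _parse(_get(e, "published")) is not None
                  and start <= _parse(_get(e, "published")) <= end)
    status = ("escalation_found" if hits else
              "pending" if end - start < PENDING_BELOW else "no_abuse_in_window")
    return {"status": status, "window_minutes": int((end - start).total_seconds() // 60), "hits": hits}


def _ev(event_type, published, user, sid=None, uri=None, ua="Mozilla/5.0"):
    """Build a minimal Okta-shaped event (constructed sample data)."""
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user},
            "client": {"ipAddress": "203.0.113.10", "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": sid} if sid else {},
            "debugContext": {"debugData": {"requestUri": uri} if uri else {}}}


SAMPLE_EVENTS = [  # constructed, mirrors the rule's test cases
    # legacy session from python-requests, no MFA in chain -> fires
    _ev("user.session.start", "2024-05-01T10:00:00Z", "alice@example.com",
        sid="sess-A", uri="/api/v1/authn", ua="python-requests/2.31"),
    # legacy session with MFA verified 30s earlier on the same chain -> must not fire
    _ev("user.authentication.auth_via_mfa", "2024-05-01T10:04:30Z", "bob@example.com", sid="sess-B"),
    _ev("user.session.start", "2024-05-01T10:05:00Z", "bob@example.com", sid="sess-B", uri="/api/v1/authn"),
    # non-legacy login -> out of scope
    _ev("user.session.start", "2024-05-01T10:06:00Z", "carol@example.com", sid="sess-C", uri="/login/token/redirect"),
    # malformed row: no externalSessionId -> must not fire
    _ev("user.session.start", "2024-05-01T10:07:00Z", "dave@example.com", uri="/api/v1/authn"),
    # alice mints an API token 20 minutes into the unchallenged session
    _ev("system.api_token.create", "2024-05-01T10:20:00Z", "alice@example.com"),
]

if __name__ == "__main__":
    for a in legacy_sessions_without_mfa(SAMPLE_EVENTS):
        print(a["user_email"], a["external_session_id"],
              triage_window(SAMPLE_EVENTS, a, "2024-05-01T10:45:00Z"))
```

Only alice's session fires: bob's chain carries an MFA event, carol's login is not on the legacy path, and dave's row has no session id to join on. The triage call then finds the API token created inside the 45-minute window; with a window under 30 minutes and no hits it would instead return "pending", matching runbook step 4.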
Categories
  • Cloud
  • Identity Management
  • Web
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1078.004
  • T1556
Created: 2026-06-11